Depersonalization Could Aide Hard-to-implement GDPR
By Wright Studio/shutterstock.com
One year on from the introduction of EU-wide GDPR regulations, the Budapest Business Journal asks local legal experts how implementation has fared, and what might be next.
The European Union decided to establish its new European privacy framework, which came into force on May 25, 2018 because lawmakers in the bloc felt that the protective landscape was fragmented, and caused confusion to organizations and individuals alike.
According to many, the EU’s General Data Protection Regulation reform is the toughest data protection law in the world. While a set of principles safeguarding the personal data of individuals had been sorely needed for several years before GDPR came along, currently it appears that the year-old code is posing an incredible documentation burden on businesses and is hard to implement.
Businesses are still facing serious challenges in meeting GDPR guidelines for deleting personal data stored without legal basis. In order to counter such a documentation burden, Deloitte says that the depersonalization of data may come up as an alternative, although the Big Four consultancy says it is important to develop an appropriate strategy to balance business interests with regulatory compliance.
Based on its market experience, Deloitte says that technical and feasibility problems make it difficult to follow GDPR in relation to the introduction and operation of data security controls.
Beyond GDPR, however, the legal offices of companies seem to be in need to optimize their operating models to keep up with the changes spurred by the legislative environment and digitalization, EY said based on a recent survey conducted with the involvement of 1,000+ legal managers. For more on this, see page 25.
Despite being a complex set of legal guidelines in its own right, thus far it appears that the biggest challenge related to GDPR remains the deletion of unauthorized personal data stored in the digital systems of companies, as well as the depersonalization of test and development environments.
Complying with the GDPR, companies must prevent the accidental loss, alteration, distribution or unauthorized access to customers’ personal data by any third parties. Therefore, applying so-called depersonalization tools can help companies anonymize the personal data they do hold on their clients or customers.
The primary purpose of data depersonalization is to encrypt data in a manner that even by using additional information, third parties are unable to tell which personal data refers to a specific natural person: in other words, the relationship between the data and the person is definitively removed.
Deloitte says that domestic and international freight firms already have depersonalization tools; however, for much simpler processes own applications and software can be established. However, before a company decides to go for such solutions, they are highly advised to seek counselling, Deloitte cautions.
“GDPR clearly requires companies to delete personal data, which should be taken into account when designing and developing systems based on ‘privacy by design’ and ‘privacy by default’,” said Zoltán Szöllősi, senior manager of risk advisory services at Deloitte.
Szöllősi says that depersonalization may be an alternative solution, which is not equivalent to deletion, but leads to a similar result if the relationship between the data and the natural person is definitively eliminated.
“This requires a proper depersonalization concept and its implementation, which must be preceded by thorough assessment and planning so that the data controller avoids the risks arising from the procedure,” the senior manager adds.
Nevertheless, equipping a company with a depersonalization system is no quick fix; it is a lengthy and costly process that can involve several years of development and the investment of tens of millions of forints in a complex IT environment, according to calculations by Deloitte.
Essentially, if such transformed data is transferred from one database to another, the receiving database must be equipped with the means of transformation to be able to pair personal data with the respective individuals.
“Therefore, in complex business environments, development of such [depersonalization] tech solutions must be carried out in a way that data flows through the entire infrastructure, ensuring that the process does not pose a risk to daily data processing or the functioning of systems,” said Gergő Barta, IT project manager at Deloitte.
“Another important aspect of depersonalization is to make valuable data assets unrecognizable only to the extent that they meet legal requirements, but at the same time remain suitable for later use, such as for producing business reports and statistics,” he explains.
“It is not easy to find the right balance between business interests and legal compliance, so it is also important to design and apply the depersonalization strategy properly,” Barta warns.
SUPPORT THE BUDAPEST BUSINESS JOURNAL
Producing journalism that is worthy of the name is a costly business. For 27 years, the publishers, editors and reporters of the Budapest Business Journal have striven to bring you business news that works, information that you can trust, that is factual, accurate and presented without fear or favor.
Newspaper organizations across the globe have struggled to find a business model that allows them to continue to excel, without compromising their ability to perform. Most recently, some have experimented with the idea of involving their most important stakeholders, their readers.
We would like to offer that same opportunity to our readers. We would like to invite you to help us deliver the quality business journalism you require. Hit our Support the BBJ button and you can choose the how much and how often you send us your contributions.